Children's Online Privacy Protection Act

From The IT Law Wiki

Citation: Children’s Online Privacy Protection Act, Tit. XIII, Div. C of the FY1999 Omnibus Consolidated and Emergency Supplemental Appropriations Act, Pub. L. No. 105-277.

Contents 1 Overview 2 Key Provisions 3 FTC Activities 4 References

[edit] Overview

With the growth of the Internet in its early years, Congress, the Clinton Administration, and the Federal Trade Commission (FTC) became concerned about protecting the privacy of children under 13 as they visit commercial websites. Not only were there concerns about information children might divulge about themselves, but also about their parents.

The result was the Children’s Online Privacy Protection Act (COPPA).^[1] The Act prohibits unfair and deceptive acts and practices in connection with the collection and use of personally identifiable information from and about children in the Internet.

[edit] Key Provisions

The Act specifies that operators of websites or online services directed to children or an operator who knowingly collect personal information from children:

1. provide parents notice of their information practices;
2. obtain prior, verifiable parental consent for the collection, use and/or disclosure of personal information from children (with certain limited exceptions for the collection of online information, e.g., email address);
3. provide a parent, upon request, with the ability to review personal information collected from his/her child;
4. provide a parent with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child;
5. limit collection of personal information for a child’s online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity; and
6. establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected.

[edit] FTC Activities

Section 1303 of the Act directed the Federal Trade Commission (FTC) to adopt regulations prohibiting unfair and deceptive acts and practices in connection with the collection and use of personal information from and about children on the Internet. The FTC’s Final Rule implementing the law became effective April 21, 2000.

The FTC adopted a “sliding scale” for complying with the verifiable parental consent requirement depending on how the data would be used. That is, if the information was for internal use only, the verifiable consent could be obtained from the parent by e-mail, plus an additional step to ensure the person giving consent is, in fact, the parent. If the website operator planned to disclose the information publicly or to third parties, a higher standard was set. This sliding scale was set to expire in 2002 with the expectation that better verification technologies would become available. However, in 2002, the FTC determined that such technologies still were not available, and the sliding scale was extended to April 12, 2005. In 2005, the Commission extended it again.^[2]

The Act authorizes the FTC to bring enforcement actions for violations of the Final Rule in the same manner as for other rules defining unfair and deceptive acts or practices under Section 5 of the FTC Act. In addition, Section 1305 authorizes state attorneys general to enforce compliance with the Final Rule by filing actions in federal court after serving prior written notice upon the FTC when feasible.

The law also provides for industry groups or others to develop self-regulatory “safe harbor” guidelines that, if approved by the FTC, can be used by websites to comply with the law. The FTC approved self-regulatory guidelines proposed by the Better Business Bureau on January 26, 2001. On June 11, 2003, then-FTC Chairman Timothy Muris stated in testimony to the Senate Commerce Committee that the FTC had brought eight COPPA cases, and obtained agreements requiring payment of civil penalties totaling more than $350,000.^[3]

As required by COPPA, on April 21, 2005, the Commission issued a request for public comment on its Final Rule, five years after the rule’s effective date. ^[4] Comments were requested on the costs and benefits of the rule; whether it should be retained, eliminated, or modified; and its effect on practices relating to the collection of information relating to children, children’s ability to access information of their choice online, and the availability of websites directed to children.

[edit] References

1. ↑ COPPA should not be confused with COPA — the Child Online Protection Act — which addresses protecting children from unsuitable material, such as pornography, on the Internet.
2. ↑ See “FTC Seeks Public Comment on Children’s Online Privacy Rule,” FTC press release, April 21, 2005.
3. ↑ See Prepared statement of Timothy Muris, Chairman, Federal Trade Commission, at 10.
4. ↑ See “FTC Seeks Public Comment on Children’s Online Privacy Rule,” FTC press release, April 21, 2005.